Singed Firefox 16 Makes a Quick Comeback

Mozilla has nipped a Firefox 16 security scare in the bud with an update that patches a flaw it considered so serious that it briefly pulled the day-old release, warning users to revert to an earlier version. Those who installed the new browser and didn't get -- or heed -- the warning will automatically receive the patch. The browser is once again available for download.

The vulnerability could potentially let a malicious site determine which websites users have visited and give it access to more detailed browsing information, Michael Coates, Mozilla's director of security assurance, said. The warning was issued Wednesday night.

Mozilla is working on patches, and users can either revert to v 15.0.1 or wait until the foundation issues and applies the patches automatically to fix the flaw.

"Unlike prior vulnerabilities in browsers that required the malicious code to compare output from the browser against a master list of URLs to find some patterns of Internet use, the current vulnerability allows attackers to simply query the browser and have it return full URL paths visited," Frank Artes, a research director at
NSS Labs, told TechNewsWorld.

"Mozilla is aware of a security vulnerability in the current release version of Firefox and is working to get a fix for the issue as soon as possible," Shannon Prior, a spokesperson for the Mozilla Foundation, told TechNewsWorld. "Users will automatically be upgraded to the [patched] version as soon as it becomes available."

More Information on the Vulnerability

Mozilla "has not been forthcoming with any information as to what the exact issue was. The only communication by anyone has been the security blog post," said Mike Kaply, founder of
Kaply Consulting. "By looking through the code, it appears to be related to iframes."

An iframe places an HTML document in a frame inside another HTML document. It's often used to hide malicious links.

The Possible Impact of the Flaw

It's possible to craft code that would have the browser present the full URL paths that were visited by users, NSS Labs' Artes said. That would let hackers see what users were searching on the sites they visited.

"Additionally, with some
regex work, you can have the browser provide you with usernames used on the websites," Artes said Some proof-of-concept code has been posted that displays the ability to pull cached usernames.

The historical information that can be obtained by exploiting this flaw can be used to target ad placement and other uses of this metadata regarding customers, Artes suggested.

The vulnerability doesn't let hackers see the server and domain names of other sites users have visited, Artes remarked.

Doing the Right Thing

"So far, we have seen proof-of-concept code posted, but have not heard of people being affected by this [vulnerability,]" NSS Labs' Artes said. "If you had been affected by this you might not realize it for some time, if at all."

Firefox "has done a great job by pulling the download from the site and advising customers to go back to a version of 15.x, even knowing there are still some outstanding security vulnerabilities in 15 that were fixed within 16," Artes continued.

Mozilla has not stated how the vulnerability was discovered.

"With security vulnerabilities, it's hard," Kaply said. "You want to do the right thing by users, but you also don't want to give malware developers the upper hand."